yaxpeax
a few things i talk about and hack on refer to The Yaxpeax Project. or, just “yaxpeax”. yaxpeax-arch talks about “shared traits … from the yaxpeax project”. it’s worth saying explicitly what the thing is or isn’t.
my thesis is that most programs are not inherently more difficult to work with (e.g. read, write, modify) as machine code than as the source code they were compiled from. where machine code seems dense, this is a consequence of decades of neglect and missing tooling. aspirationally, “yaxpeax” is what i think could support high-quality tooling for that category of problem.
realistically, “yaxpeax” is a pile of disassemblers and their partial integration into a library for control-flow and data-flow analysis.
even this, it seems, is enough to have a twinkle of promise!!
- Доверяй, но проверяй (“trust, but verify”): SFI safety for native-compiled Wasm was a paper accompanying VeriWasm, a tool to verify the isolation properties of native-compiled WebAssembly modules by analyzing the produced machine code as a black box. this requires both disassembling the native-compiled code and reasoning about the relationships between values - addresses and otherwise. yaxpeax-core provided enough control flow analysis that they could (mostly) use it directly.
… though that’s the best and only example of code analysis being as useful as i’d hope, so far. this is why “yaxpeax” as a project is fuzzy, and i primarily talk about it as a pile of disassemblers; those are neatly-scoped with a simple enough interface, and are reusable.
- for disassembly in an example of annotating perf data
- for disassembly in analyzing minidump crash files’ code for hints of crash causes
- for disassembly in part of a coverage-guided fuzzer
and in some uses of my own - of course i find nails for my hammer:
- yaxpeax-dis, as a “please try to disassemble this” tool, including all (“all” meaning best effort :)) yaxpeax-supporting disassemblers
- dis.yaxpeax.net, same as the above, but as a website
- yaxpeax-eval, for disassembly and debug viewing of executed machine code
- yaxpeax-demo, a one-off example of disassembly and code analysis with yaxpeax-core
- zvm, for disassembly of jitted JVM bytecode
but the real place i hope to find yaxpeax one day is to be used for analysis tasks like constructing an SSA-style representation of machine code, in turn letting me (or you!!!) get value analyses,
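to make that aspiration concrete, here is an added sketch of the whole pipeline in miniature. it is not yaxpeax code and nothing like what yaxpeax-core does at scale: a hand-rolled decoder for a tiny x86-64 subset (mov r32, imm32; mov/add/sub between registers with a mod=3 ModRM; ret), a straight-line SSA renaming pass over it, and forward constant propagation over the SSA form, so you can see that “which register holds a known value at ret” falls out of the representation rather than out of reading the bytes by eye. the subset, the sample bytes, and every name in it (`decode`, `to_ssa`, `const_prop`, `final_values`, `SAMPLE`) are made up for this example; memory operands, flags and branches are deliberately out of scope, and the decoder refuses anything it doesn’t know rather than guessing.

```rust
use std::collections::HashMap;

// added example, not yaxpeax code: decode a toy x86-64 subset (mod=3 only), rename
// into straight-line SSA, and propagate constants through it.
const REGS: [&str; 8] = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"];

#[derive(Debug, Clone, Copy, PartialEq)]
enum Op { Mov, Add, Sub }

#[derive(Debug, Clone, Copy, PartialEq)]
enum Insn {
    MovImm { dst: u8, imm: u32 },        // B8+rd imm32
    RegReg { op: Op, dst: u8, src: u8 }, // 89 /r, 01 /r, 29 /r with mod=3
    Ret,                                 // C3
}

/// decode until `ret`; anything outside the subset is an error, not a guess
fn decode(bytes: &[u8]) -> Result<Vec<Insn>, String> {
    let (mut out, mut i) = (Vec::new(), 0);
    while i < bytes.len() {
        let op = bytes[i];
        match op {
            0xB8..=0xBF => {
                if bytes.len() < i + 5 { return Err(format!("truncated imm32 at {}", i)); }
                let imm = u32::from_le_bytes([bytes[i + 1], bytes[i + 2], bytes[i + 3], bytes[i + 4]]);
                out.push(Insn::MovImm { dst: op - 0xB8, imm });
                i += 5;
            }
            0x01 | 0x29 | 0x89 => {
                let modrm = *bytes.get(i + 1).ok_or(format!("truncated modrm at {}", i))?;
                if modrm >> 6 != 3 { return Err(format!("memory operand at {} not supported", i)); }
                let op = match op { 0x01 => Op::Add, 0x29 => Op::Sub, _ => Op::Mov };
                // for these opcodes the ModRM reg field is the source and r/m the destination
                out.push(Insn::RegReg { op, dst: modrm & 7, src: (modrm >> 3) & 7 });
                i += 2;
            }
            0xC3 => { out.push(Insn::Ret); return Ok(out); }
            _ => return Err(format!("unsupported opcode {:#04x} at {}", op, i)),
        }
    }
    Err("ran off the end without a ret".to_string())
}

/// an SSA value: the register it was written to, and which write (version 0 = value on entry)
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
struct Var { reg: u8, ver: u32 }

fn name(v: Var) -> String { format!("{}_{}", REGS[v.reg as usize], v.ver) }

#[derive(Debug, Clone, PartialEq)]
enum Stmt { Const(Var, u32), Bin(Var, Op, Var, Var) }

impl Stmt {
    fn dst(&self) -> Var { match *self { Stmt::Const(d, _) | Stmt::Bin(d, _, _, _) => d } }
    fn text(&self) -> String {
        match *self {
            Stmt::Const(d, c) => format!("{} = {:#x}", name(d), c),
            Stmt::Bin(d, Op::Mov, _, b) => format!("{} = {}", name(d), name(b)),
            Stmt::Bin(d, op, a, b) => format!("{} = {} {}, {}", name(d),
                if op == Op::Add { "add" } else { "sub" }, name(a), name(b)),
        }
    }
}

fn fresh(cur: &mut [Var; 8], r: u8) -> Var {
    cur[r as usize].ver += 1;
    cur[r as usize]
}

/// straight-line SSA renaming: reads name the current version, every write makes a new one
fn to_ssa(insns: &[Insn]) -> (Vec<Stmt>, [Var; 8]) {
    let mut cur = [Var { reg: 0, ver: 0 }; 8];
    for (r, v) in cur.iter_mut().enumerate() { v.reg = r as u8; }
    let mut stmts = Vec::new();
    for insn in insns {
        match *insn {
            Insn::MovImm { dst, imm } => { let d = fresh(&mut cur, dst); stmts.push(Stmt::Const(d, imm)); }
            Insn::RegReg { op, dst, src } => {
                let (a, b) = (cur[dst as usize], cur[src as usize]); // read before the new def
                let d = fresh(&mut cur, dst);
                stmts.push(Stmt::Bin(d, op, a, b));
            }
            Insn::Ret => break,
        }
    }
    (stmts, cur)
}

/// forward constant propagation; anything derived from an entry value stays unknown
fn const_prop(stmts: &[Stmt]) -> HashMap<Var, u32> {
    let mut known: HashMap<Var, u32> = HashMap::new();
    for s in stmts {
        let val = match *s {
            Stmt::Const(_, c) => Some(c),
            Stmt::Bin(_, Op::Mov, _, b) => known.get(&b).cloned(),
            Stmt::Bin(_, op, a, b) => match (known.get(&a), known.get(&b)) {
                (Some(&x), Some(&y)) => Some(if op == Op::Add { x.wrapping_add(y) } else { x.wrapping_sub(y) }),
                _ => None,
            },
        };
        if let Some(v) = val { known.insert(s.dst(), v); }
    }
    known
}

/// decode, rename, propagate: the SSA listing plus each register's value at `ret`, if known
fn final_values(bytes: &[u8]) -> Result<([Option<u32>; 8], Vec<String>), String> {
    let (stmts, last) = to_ssa(&decode(bytes)?);
    let known = const_prop(&stmts);
    let mut vals = [None; 8];
    for r in 0..8 { vals[r] = known.get(&last[r]).cloned(); }
    Ok((vals, stmts.iter().map(|s| s.text()).collect()))
}

// constructed sample: mov eax,5; mov ecx,7; add ecx,eax; mov edx,eax; sub ecx,edx; add eax,ebx; ret
const SAMPLE: &[u8] = &[0xB8, 5, 0, 0, 0, 0xB9, 7, 0, 0, 0, 0x01, 0xC1, 0x89, 0xC2, 0x29, 0xD1, 0x01, 0xD8, 0xC3];

fn main() {
    match final_values(SAMPLE) {
        Ok((vals, listing)) => {
            for l in &listing { println!("{}", l); }
            for (r, v) in vals.iter().enumerate() {
                match *v {
                    Some(c) => println!("{} at ret: {}", REGS[r], c),
                    None => println!("{} at ret: unknown", REGS[r]),
                }
            }
        }
        Err(e) => eprintln!("decode error: {}", e),
    }
}
```

the last `add eax, ebx` is there on purpose: ebx is never written, so its entry version `ebx_0` is unknown, and the analysis reports eax as unknown at ret instead of pretending. ecx, on the other hand, goes 7 → 12 → 7 across three SSA versions, and the final answer is only readable because each version is a distinct name. growing this to real code means phi nodes at control-flow joins (which is exactly where the control flow analysis from yaxpeax-core would come in), memory, and flags; none of that changes the shape of what’s here.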
anyway, between Then and Now... Ghidra has become an entire thing. Binary Ninja still exists and continues improving. maybe yaxpeax ends up just a pile of neat disassemblers and toy demos in my (ha ha) spare time.